Computerworld – Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.

The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.

This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR)…

…The actions could be a sign that HHS is getting serious about enforcing HIPAA’s privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.

These actions are among “the most significant things that the administration has done for patient privacy,” Peel said.

Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.

“But nobody has been paying attention to them. It’s like mass civil disobedience by industry,” Peel said. “So this is incredibly welcome for patients.”